mirror of
https://github.com/pomerium/pomerium.git
synced 2025-04-29 18:36:30 +02:00
5568606f03
Add a new match_subject_alt_names option to the downstream_mtls settings group. This setting can be used to further constrain the allowed client certificates by requiring that certificates contain a Subject Alternative Name of a particular type, matching a particular regex. When set, populate the corresponding match_typed_subject_alt_names setting within Envoy, and also implement a corresponding check in the authorize service.
169 lines
5.7 KiB
Go
169 lines
5.7 KiB
Go
package config
|
|
|
|
import (
|
|
"os"
|
|
"path/filepath"
|
|
"testing"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
)
|
|
|
|
func TestDownstreamMTLSSettingsGetCA(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
fakeCACert := []byte("--- FAKE CA CERT ---")
|
|
caFile := filepath.Join(t.TempDir(), "CA.pem")
|
|
os.WriteFile(caFile, fakeCACert, 0644)
|
|
|
|
cases := []struct {
|
|
label string
|
|
settings DownstreamMTLSSettings
|
|
expected []byte
|
|
}{
|
|
{"not set", DownstreamMTLSSettings{}, nil},
|
|
{"CA", DownstreamMTLSSettings{CA: "LS0tIEZBS0UgQ0EgQ0VSVCAtLS0="}, fakeCACert},
|
|
{"CA file", DownstreamMTLSSettings{CAFile: caFile}, fakeCACert},
|
|
}
|
|
|
|
for i := range cases {
|
|
c := &cases[i]
|
|
t.Run(c.label, func(t *testing.T) {
|
|
ca, err := c.settings.GetCA()
|
|
require.NoError(t, err)
|
|
assert.Equal(t, c.expected, ca)
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestDownstreamMTLSSettingsGetCRL(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
fakeCRL := []byte("--- FAKE CRL ---")
|
|
crlFile := filepath.Join(t.TempDir(), "CRL.pem")
|
|
os.WriteFile(crlFile, fakeCRL, 0644)
|
|
|
|
cases := []struct {
|
|
label string
|
|
settings DownstreamMTLSSettings
|
|
expected []byte
|
|
}{
|
|
{"not set", DownstreamMTLSSettings{}, nil},
|
|
{"CRL", DownstreamMTLSSettings{CRL: "LS0tIEZBS0UgQ1JMIC0tLQ=="}, fakeCRL},
|
|
{"CRL file", DownstreamMTLSSettings{CRLFile: crlFile}, fakeCRL},
|
|
}
|
|
|
|
for i := range cases {
|
|
c := &cases[i]
|
|
t.Run(c.label, func(t *testing.T) {
|
|
crl, err := c.settings.GetCRL()
|
|
require.NoError(t, err)
|
|
assert.Equal(t, c.expected, crl)
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestDownstreamMTLSSettingsGetEnforcement(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
cases := []struct {
|
|
label string
|
|
settings DownstreamMTLSSettings
|
|
expected MTLSEnforcement
|
|
}{
|
|
{"default",
|
|
DownstreamMTLSSettings{}, MTLSEnforcementPolicyWithDefaultDeny,
|
|
},
|
|
{"policy",
|
|
DownstreamMTLSSettings{Enforcement: "policy"}, MTLSEnforcementPolicy,
|
|
},
|
|
{"policy_with_default_deny",
|
|
DownstreamMTLSSettings{Enforcement: "policy_with_default_deny"},
|
|
MTLSEnforcementPolicyWithDefaultDeny,
|
|
},
|
|
{"reject_connection",
|
|
DownstreamMTLSSettings{Enforcement: "reject_connection"},
|
|
MTLSEnforcementRejectConnection,
|
|
},
|
|
}
|
|
|
|
for i := range cases {
|
|
c := &cases[i]
|
|
t.Run(c.label, func(t *testing.T) {
|
|
assert.Equal(t, c.expected, c.settings.GetEnforcement())
|
|
})
|
|
}
|
|
}
|
|
|
|
func TestDownstreamMTLSSettingsGetMaxVerifyDepth(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
// MaxVerifyDepth should default to 1 if not set explicitly.
|
|
var s DownstreamMTLSSettings
|
|
assert.Equal(t, uint32(1), s.GetMaxVerifyDepth())
|
|
|
|
var maxVerifyDepth uint32
|
|
s.MaxVerifyDepth = &maxVerifyDepth
|
|
assert.Equal(t, uint32(0), s.GetMaxVerifyDepth())
|
|
|
|
maxVerifyDepth = 1
|
|
assert.Equal(t, uint32(1), s.GetMaxVerifyDepth())
|
|
|
|
maxVerifyDepth = 1000
|
|
assert.Equal(t, uint32(1000), s.GetMaxVerifyDepth())
|
|
}
|
|
|
|
func TestDownstreamMTLSSettingsValidate(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
cases := []struct {
|
|
label string
|
|
settings DownstreamMTLSSettings
|
|
errorMsg string
|
|
}{
|
|
{"not set", DownstreamMTLSSettings{}, ""},
|
|
{"both CA and CA file", DownstreamMTLSSettings{CA: "CA", CAFile: "CAFile"},
|
|
"cannot set both ca and ca_file"},
|
|
{"bad CA", DownstreamMTLSSettings{CA: "not%valid%base64%data"},
|
|
"CA: illegal base64 data at input byte 3"},
|
|
{"bad CA file", DownstreamMTLSSettings{CAFile: "-"},
|
|
"CA file: open -: no such file or directory"},
|
|
{"both CRL and CRL file", DownstreamMTLSSettings{CRL: "CRL", CRLFile: "CRLFile"},
|
|
"cannot set both crl and crl_file"},
|
|
{"bad CRL", DownstreamMTLSSettings{CRL: "dGhpc2lzZmluZQo="},
|
|
"CRL: cryptutil: non-PEM data in CRL bundle"},
|
|
{"bad CRL file", DownstreamMTLSSettings{CRLFile: "-"},
|
|
"CRL file: open -: no such file or directory"},
|
|
{"bad enforcement mode", DownstreamMTLSSettings{Enforcement: "whatever"},
|
|
"unknown enforcement option"},
|
|
{"bad SAN type", DownstreamMTLSSettings{MatchSubjectAltNames: []SANMatcher{
|
|
{Type: "whatever"},
|
|
}}, `unknown SAN type "whatever"`},
|
|
{"bad SAN match expression", DownstreamMTLSSettings{MatchSubjectAltNames: []SANMatcher{
|
|
{Type: "dns", Pattern: `[`},
|
|
}}, "couldn't parse pattern \"[\": error parsing regexp: missing closing ]: `[`"},
|
|
{"OK", DownstreamMTLSSettings{
|
|
CA: "dGhpc2lzZmluZQo=",
|
|
CRL: "LS0tLS1CRUdJTiBYNTA5IENSTC0tLS0tCk1JSUNOVENCbmdJQkFUQU5CZ2txaGtpRzl3MEJBUXNGQURBNk1SNHdIQVlEVlFRS0V4VnRhMk5sY25RZ1pHVjIKWld4dmNHMWxiblFnUTBFeEdEQVdCZ05WQkFNVEQyUnZkMjV6ZEhKbFlXMGdRMEVnTWhjTk1qTXdOekU1TWpFMQpNREUxV2hjTk16TXdOekUyTWpFMU1ERTFXcUF3TUM0d0h3WURWUjBqQkJnd0ZvQVVDeFEyY0JhNVl6cVZ6YW1wCmlOQ3g4S3dGRnlRd0N3WURWUjBVQkFRQ0FoQUFNQTBHQ1NxR1NJYjNEUUVCQ3dVQUE0SUJnUUNZYW14OHBNK1IKQ2x5c2tjdTdvdWh1L1IxSnkxbldHeVd0S3BoWXEwWEZiT0xsbmsyWjdlRGZBWDhFZWoyRmF2cXh6YXBSMngyTwo0aUpORENtaXdZWVlVUzJYMkxKM3JSUkpYeVh2V2h0ZkhyeFVSZDZCaXRDMklYcHlrQnRWbGYzekFuWjhHWkZRClMxamRmeUxNdUVBaUR3SWFpM1l0OEhzRHAvcUcwODlvWGNvU3R5UWcvdVJwbVd5MDVBOXVDVk9mTkhTTFNadTgKbHI0cWF0bGV1MHdXYlYxYW1MOHRPOXg0Q1JrTzBvMVlhUXE0RG9PcnVQciszTmtUbVB2R2lkaDNGNzFWNklFQQpoK0t6ZGJSWHhGbUNDV0xXbXBKRGNyZ1I3S1VxWk9oVVV0K0RVcWFxaFY0NHFJMG5ycFIrUVpMb2hvRG9yOUx3CksrdWZqM24yOWVTUlgrM1B4K29WV1BUOFlaUDJ1S1BkaXppOTZtZTJqV1RyNTF4OUFqRW9KRHNUbllSbDkrdVkKU2hpVXhXblRkUXNvb2tuSWZjUy8wemZnWjg3R3ZVVnppbkNRekpwd1Z4ZDRBbHQ4QWxSK2ZYQXFOSW9PZ3V5dgpwL0N0UlZualZFN2w3SFcvaFFScTFKMGlqQ0NLd215Zi9LVGQ2RUs0VGRydmJYL1U5bXNWTThZPQotLS0tLUVORCBYNTA5IENSTC0tLS0tCg==",
|
|
Enforcement: "reject_connection",
|
|
MatchSubjectAltNames: []SANMatcher{
|
|
{Type: "dns", Pattern: `.*\.corp\.example\.com`},
|
|
{Type: "email", Pattern: `.*@\.example\.com`},
|
|
{Type: "ip_address", Pattern: `192\.168\.0\..*`},
|
|
{Type: "uri", Pattern: `spiffe://example.com/department/.*`},
|
|
},
|
|
}, ""},
|
|
}
|
|
|
|
for i := range cases {
|
|
c := &cases[i]
|
|
t.Run(c.label, func(t *testing.T) {
|
|
err := c.settings.validate()
|
|
if c.errorMsg == "" {
|
|
assert.NoError(t, err)
|
|
} else {
|
|
assert.Equal(t, c.errorMsg, err.Error())
|
|
}
|
|
})
|
|
}
|
|
}
|